-
Notifications
You must be signed in to change notification settings - Fork 208
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: "public" version of secp256k1_musig_partial_sign to get public key of psig #217
Comments
Thanks for the writeup. I can see why this feature would be useful. What would be important to know is whether you actually want to "simulate" a MuSig partial signature or just a BIP340 signature. It seems like the settlement transaction could just as well use a 2-of-2 CSA script. There are pro's and con's of course to either approach, but I'm wondering why you don't use one approach consistently in both update and settlement transaction. We don't have BIP 340 adaptor sigs right now (#191)
I think Alice can just use a BIP 340 adaptor sig (once there is library support). |
The idea is that you use "2-of-2 CSA" to spend the funding output via the update tx in order to have an adaptor signature that will reveal a secret if completed while only needing a single communication round, but you use musig2 everywhere else in order to reduce on-chain footprint. Adding the 2-of-2 path for spending the funding output is free -- in normal circumstances the funding output is in the utxo set so doesn't need APO abilities, and we can just do musig2 via the key path. Providing a 2-of-2 CSA path when spending the update tx via the settlement tx would add 32+ witness bytes to every settlement tx (due to going from 1 to 2 tapscripts, which I think would be the most efficient way of doing this). With two CSA scripts, Alice would calculate Bob's signature for Alice's settlement tx But aiming for minimal onchain footprint, we change the settlement tx to use musig2, so the signature Alice needs for her settlement tx becomes |
Ok thanks. That explains why
Ah, you're calling this a "1-of-1 MuSig2 session" because, similar to MuSig, nonce generation and signing are two separate steps. Using the libsecp-zkp musig module should work for this, but it would preferably be done with a much simpler API. |
👍
Well, the key bit is you're committing to a nonce in advance, with a (possible) adversary being able to choose the message for you to sign after knowing your nonce commitment. I guess I'm also calling it "1-of-1 musig2" because I'm hoping it falls under the musig security proof rather than needing its own :) |
Without having understood the entire use case: Yes, sending out the nonce and only then getting the message, is covered by the MuSig2 security proof as "1-of-1" effectively. |
@jonasnick told me to post this for visibility. Invented originally by @ajtowns because he was chagrined by my current solution to the problem at hand.
First, a bit of motivation.
In ln-symmetry(eltoo) channels I have sketched out and implemented as well as other channel constructions, there is a desire to keep channel updates at least in the two party case to half a round trip. Alice sends an update with a signature, and Bob can immediately forward any HTLCs required without delay. This improves latency, and simplifies the channel state machine.
These types of channels have two stages of presigned transactions, in the ln-symmetry case, we have two symmetric transactions per channel update:
If Alice wants to send an update to Bob, she cannot send both a signature for the update and settlement transactions, since Bob could take the update transaction to chain, and withhold a signature for the follow-up settlement transaction. The safe course is to send the settlement signature first, wait for Bob to hand his update signature, then respond with her update signature, increasing the RTT to 1.5 instead of 0.5 RTT.
Here's an alternative approach using adaptor signatures that I believe achieves the original goal:
secp256k1_musig_partial_simulate
on the settlement transaction, which allows Alice to "simulate" partial signing routine for any public key in the session, outputtings*G
rather thans
since that can be computed for any party.s*G
as the adaptor for her update transaction's signature (1-of-1 MuSig session?)s
, allowing Alice to complete the settlement transaction.TL;DR: the adapter signature is a fair exchange of Alice's update signature and Bob's settlement partial signature.
The text was updated successfully, but these errors were encountered: